Wednesday April 30, 2008

With the recently added ability to sign PKCS#10 certificate request files, the pktool(1) command of OpenSolaris can be used as a very simple Certificate Authority, similar to what can be done with the openssl(1) command but, in my opinion, in a much clearer way and actually providing stronger security. I'll outline the basic commands below, but some external "database" will be needed to keep the serial number count and the other state needed to be a useful CA.
First the administrator creates the CA's self-signed certificate and private key, here in a file keystore:

admin$ pktool gencert keystore=file outcert=myCA \
    subject="CN=test,DC=EXAMPLE,DC=COM" serial=0x1 outkey=myCA.key
A user then generates their own key and a PKCS#10 certificate request:

user$ pktool gencsr keystore=file outcsr=sample.p10 \
    subject="CN=darren,OU=people,DC=EXAMPLE,DC=COM" outkey=sample.key

The user then sends the PKCS#10 certificate request to the administrator for signing.
admin$ pktool signcsr keystore=file signkey=myCA.key csr=sample.p10 \
    outcert=sample.cert format=pem serial=0x1001 \
    issuer="CN=small-CA,DC=EXAMPLE,DC=COM"
Rather than keeping the CA key in a file, the administrator can generate it directly in a PKCS#11 keystore:

admin$ pktool gencert keystore=pkcs11 label=myCA \
    subject="CN=test,DC=EXAMPLE,DC=COM" serial=0x1
Enter PIN for Sun Software PKCS#11 softtoken :
We now have the key in a PIN-protected PKCS#11 keystore, and the sign operation is almost the same:
admin$ pktool signcsr keystore=pkcs11 signkey=myCA csr=sample.p10 \
    outcert=sample.cert format=pem serial=0x1001 \
    issuer="CN=small-CA,DC=EXAMPLE,DC=COM"
Enter PIN for Sun Software PKCS#11 softtoken :
Note that we didn't explicitly specify which PKCS#11 token to use, but pktool(1) allows that with its token= option.
Similarly the user can use a PKCS#11 keystore when they run gencert.
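The external "database" mentioned at the top can be quite small. As an added example (not code from this post or from OpenSolaris), the POSIX shell script below wraps the pktool signcsr step with a locked serial counter, an index of issued certificates, and a refusal to reuse a serial. The directory layout under CA_DIR, the index.txt format, the PKTOOL override variable and all function names are assumptions made for this example; pktool itself is invoked with the same keywords as in the post. One caveat the post glosses over: the issuer= DN handed to signcsr must be identical to the subject of the CA certificate, otherwise the issued certificates will not chain to it, so the script assumes the CA certificate was generated with the small-CA subject it uses as issuer.

```shell
#!/bin/sh
# Serial-number and issuance-log bookkeeping around "pktool signcsr".
# Hypothetical helper written for this example, not part of OpenSolaris or pktool(1).
# Assumed layout: $CA_DIR/serial holds the next serial (decimal), $CA_DIR/index.txt
# records every issued certificate, $CA_DIR/certs/ receives the signed PEM files.

CA_DIR="${CA_DIR:-./small-ca}"
CA_KEY_LABEL="${CA_KEY_LABEL:-myCA}"                     # PKCS#11 label of the CA key (as in the post)
ISSUER_DN="${ISSUER_DN:-CN=small-CA,DC=EXAMPLE,DC=COM}"  # must equal the CA certificate's subject
PKTOOL="${PKTOOL:-pktool}"                               # overridable so the bookkeeping can be tested without a token

ca_init() {
    # Create the state directory; the first serial handed out is 0x1001 (4097), matching the post.
    mkdir -p "$CA_DIR/certs" || return 1
    [ -f "$CA_DIR/serial" ] || printf '%s\n' 4097 > "$CA_DIR/serial"
    [ -f "$CA_DIR/index.txt" ] || : > "$CA_DIR/index.txt"
}

next_serial() {
    # mkdir is atomic, so a lock directory keeps two concurrent signings from being
    # issued the same serial (a lock left behind by a crash must be removed by hand).
    tries=0
    until mkdir "$CA_DIR/serial.lock" 2>/dev/null; do
        tries=$((tries + 1))
        [ "$tries" -lt 30 ] || { echo "next_serial: lock held too long" >&2; return 1; }
        sleep 1
    done
    cur=$(cat "$CA_DIR/serial")
    printf '%s\n' $((cur + 1)) > "$CA_DIR/serial"
    rmdir "$CA_DIR/serial.lock"
    printf '0x%x\n' "$cur"          # pktool takes serial= as a hex value
}

serial_in_use() {
    # True if index.txt already records a certificate with this serial.
    awk -v s="$1" -F "$(printf '\t')" '$2 == s { found = 1 } END { exit !found }' "$CA_DIR/index.txt"
}

sign_csr() {
    # sign_csr CSR-FILE SUBJECT-DN: sign one PKCS#10 request with the PKCS#11-held CA key
    # and append a record of the issuance to index.txt.
    csr=$1
    subject=$2
    [ -r "$csr" ] || { echo "sign_csr: cannot read $csr" >&2; return 1; }
    serial=$(next_serial) || return 1
    if serial_in_use "$serial"; then
        echo "sign_csr: serial $serial already issued, refusing to reuse it" >&2
        return 1
    fi
    out="$CA_DIR/certs/$serial.pem"
    "$PKTOOL" signcsr keystore=pkcs11 signkey="$CA_KEY_LABEL" csr="$csr" \
        outcert="$out" format=pem serial="$serial" issuer="$ISSUER_DN" || return 1
    # Index line: status, serial, UTC issue time, subject, certificate path.
    printf 'V\t%s\t%s\t%s\t%s\n' "$serial" "$(date -u +%Y%m%dT%H%M%SZ)" "$subject" "$out" \
        >> "$CA_DIR/index.txt"
}

case "${1:-}" in
    init) ca_init ;;
    sign) sign_csr "$2" "$3" ;;
    "")   ;;                        # sourced or run without arguments: only define the functions
    *)    echo "usage: $0 init | sign CSR-FILE SUBJECT-DN" >&2; exit 2 ;;
esac
```

Run "sh ca.sh init" once, then "sh ca.sh sign sample.p10 'CN=darren,OU=people,DC=EXAMPLE,DC=COM'" for each request; the PIN prompt from the softtoken appears exactly as in the post, and index.txt becomes the record you would later consult to build a CRL.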
( Apr 30 2008, 03:25:00 PM BST )